Internet shopping, online network games, online financial transactions, electronic commerce and the like have recently become indispensable or at least prevalent in people's daily lives. At the same time, however, malicious disruptive behaviors or sabotage by cyber hackers have also become more prevalent. These disruptive behaviors or sabotage can be classified into the following categories:
1. Malicious Use of Trojan Horse Programs: Trojan horse, or Trojan, programs are malware that appear to perform a desirable function for the user but instead facilitate unauthorized access to the user's computer system. In computer science, a Trojan horse is a program that appears to be legitimate but is designed to have destructive effects. For example, a Trojan horse may be used to steal password information, make a system more vulnerable to future unauthorized entries, or simply destroy the programs or data on a hard disk. Once a Trojan horse is installed on a target computer system, a hacker may access the computer remotely and perform various operations including:
Use of the machine as a part of a botnet to perform automated spamming;
Data theft such as retrieving passwords or credit card information;
Installation of software, including third-party malware;
Downloading or uploading of files on the user's computer;
Modification or deletion of files;
Keystroke logging;
Watching the user's screen;
Wasting the computer's storage space; and
Crashing the computer.
2. Phishing Scams: In the field of computer security, phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. Typically, a forged email directs the victim to a website that spoofs, or appears to be, that of a legitimate business in order to trick the victim into divulging personal confidential information such as bank account numbers, credit card information, and the like (this definition is from the Anti-Phishing Working Group (APWG), an industry and law enforcement association).
3. Man-in-the-Middle Attacks: In cryptography, the man-in-the-middle attack (MITM attack) is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker. The attacker is able to intercept all messages going between the two victims and inject new ones, which is straightforward in many circumstances. In this way the attacker can perform financial transactions with real banking websites while interactively gulling the victimized Internet user out of confidential information, incurring monetary loss for that user.
In order to prevent damage from the above-listed types of network attacks, it has been proposed to use a countermeasure in the form of a dynamic One-Time Password (OTP), which is valid only for a single login session or transaction and is therefore less susceptible to replay attacks than a traditional memorized static password. The OTP may be provided by an organization known as an “OTP dynamic password authentication unit.” The main algorithm for the generation and delivery of the OTP is based on randomness: the dynamic password is generated in an unpredictable, stochastic manner, with a different password for each Internet transaction of the Internet user. If a potential intruder manages to record an OTP that has already been used to log into a service or to conduct a transaction, he or she will not be able to abuse it, since it is no longer valid. As a result, even when a hacker successfully intercepts a used OTP, he/she can neither reuse the invalidated OTP nor forecast the next valid OTP to jeopardize the targeted Internet user. Therefore, the features of unpredictability, non-repeatability and one-time validity make the OTP one of the most effective authentication solutions for identity authentication and for preventing the various cybercrimes carried out by hacker attacks via malware, phishing, spyware, man-in-the-middle (MITM) attacks, and the like. The conventional authentication method using a dynamic password is illustrated in FIG. 1 and includes the following steps:
A. An Internet user submits an enrollment application to become a member of an “OTP dynamic password authentication unit” to get an “account number” and “password” issued to the user;
B. The Internet user accesses any website associated with the “dynamic password authentication unit” by a website accessing browser and clicks on a “dynamic password authentication web-page”;
C. The Internet user inputs the “account number” and “password” issued upon membership enrollment application into respective corresponding fields of “account number” and “password” in the “dynamic password authentication web-page”;
D. After having received the “account number” and “password” input by the Internet user, the “OTP dynamic password authentication unit” will generate a set of “dynamic passwords” and make a phone call to transmit it via short message to the cellular phone designated by the Internet user for informing him or her of the current “dynamic password”;
E. The Internet user then inputs his or her own current “dynamic password” into “dynamic password authentication fields” in the “dynamic password authentication web-page” of the online website, after having read the current “dynamic password” received from the short message on his/her cellular phone;
F. The online website will relay the “dynamic password” to a computer authentication system of the “OTP dynamic password authentication unit” to perform a matching comparison with the “dynamic password” previously provided to the targeted Internet user via short message. Based on the result of the matching comparison, the “dynamic password authentication web-page” of the online website will display the phrase “login is successful” if no discrepancy is found, or the phrase “login has failed” if any discrepancy is found.
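The following is an added example, not part of this specification or of any product it describes, showing in Python how the server side of the “OTP dynamic password authentication unit” in steps D and F can enforce the properties claimed above: the OTP is drawn from a cryptographically secure random source, it is accepted only once, it expires after a short time, and only a bounded number of guesses is allowed. The class name OtpAuthenticationUnit, the account and phone values, the 120-second lifetime and the 3-attempt limit are assumptions made for the example; the short-message delivery of step D is replaced by a callback so that the code runs offline.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_DIGITS = 6            # assumed length of the "dynamic password"
OTP_TTL_SECONDS = 120     # assumed validity window after issuing (step D)
MAX_ATTEMPTS = 3          # assumed guess limit before the OTP is discarded


@dataclass
class PendingOtp:
    digest: bytes          # keyed hash of the OTP, never the OTP itself
    expires_at: float
    attempts: int = 0
    used: bool = False


class OtpAuthenticationUnit:
    """Server-side model of the 'OTP dynamic password authentication unit'.

    Only an HMAC of each pending OTP is stored, keyed with a server secret,
    so a leaked table of pending logins does not reveal usable passwords.
    """

    def __init__(self, server_key: bytes, deliver, clock=time.time):
        self._key = server_key
        self._deliver = deliver      # stands in for the SMS channel: deliver(phone, otp)
        self._clock = clock
        self._pending: dict[str, PendingOtp] = {}

    def _digest(self, account: str, otp: str) -> bytes:
        # Bind the OTP to the account so a code issued to one user cannot be replayed as another.
        return hmac.new(self._key, f"{account}:{otp}".encode(), "sha256").digest()

    def issue(self, account: str, phone_number: str) -> None:
        """Step D: generate a fresh random OTP and hand it to the delivery channel."""
        otp = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"  # CSPRNG, zero-padded
        self._pending[account] = PendingOtp(
            digest=self._digest(account, otp),
            expires_at=self._clock() + OTP_TTL_SECONDS,
        )
        self._deliver(phone_number, otp)

    def verify(self, account: str, otp: str) -> str:
        """Step F: compare the submitted OTP; returns the phrase the web page displays."""
        entry = self._pending.get(account)
        if entry is None:
            return "login has failed"
        if entry.used or self._clock() > entry.expires_at or entry.attempts >= MAX_ATTEMPTS:
            self._pending.pop(account, None)       # stale or exhausted: discard it
            return "login has failed"
        entry.attempts += 1
        if hmac.compare_digest(entry.digest, self._digest(account, otp)):
            entry.used = True                      # one-time validity: a replay can never succeed
            self._pending.pop(account, None)
            return "login is successful"
        return "login has failed"


def simulate() -> dict:
    """Constructed walk-through of steps D to F with a fake phone inbox and a controllable clock."""
    inbox = {}                                     # phone number -> last OTP "received"
    now = [1_700_000_000.0]                        # constructed clock value
    unit = OtpAuthenticationUnit(b"constructed-server-secret", inbox.__setitem__, clock=lambda: now[0])

    phone = "+00-000-0000"                         # placeholder number
    unit.issue("user-123", phone)
    otp = inbox[phone]
    wrong = "000000" if otp != "000000" else "111111"
    results = {
        "wrong_guess": unit.verify("user-123", wrong),
        "correct": unit.verify("user-123", otp),
        "replay": unit.verify("user-123", otp),     # intercepted-and-reused OTP
    }

    unit.issue("user-123", phone)                  # a second login, but the user waits too long
    now[0] += OTP_TTL_SECONDS + 1
    results["expired"] = unit.verify("user-123", inbox[phone])
    return results


if __name__ == "__main__":
    print(simulate())
```

The example enforces the one-time validity and unpredictability properties on the server; it does nothing about the delivery channel, which is exactly where the bottlenecks discussed in the remainder of this section arise.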
Although the above-described conventional dynamic password based authentication method has been adopted by some banks, online games and organizations since it was introduced and promoted, its growth has been held back since 2007 by the following bottlenecks:
1. Access by cellular phones to the Internet has increased, making the dynamic password sent to the cellular phone more vulnerable. The first cellular phone virus, “Cabir,” and the second, “CommWarrior,” were created in June 2004 and January 2005 respectively. The “Cabir” virus causes an infected cellular phone to search for and connect to a Bluetooth-enabled cellular phone nearby and send information to the connected phone continuously, draining the battery as it keeps seeking other Bluetooth connections. The “CommWarrior” virus is a cellular phone virus capable of replicating via Multimedia Messaging Service (MMS) messages, which are text messages carrying images, audio or video data sent from one phone to another or via email. Before the arrival of “CommWarrior,” cellular phone viruses spread only over Bluetooth, so only nearby cellular phones could be affected, but the “CommWarrior” (MMS) virus can affect any cellular phone and potentially spread as quickly as an email worm, resulting in expensive losses caused by the continuous sending of short messages by infected phones. In July 2007, the Spanish police arrested the hacker, a man of 28 years of age, who created “Cabir” and “CommWarrior.” Over 115 thousand Symbian based smart phones were affected by these two viruses.
After 2007, some cellular phone viruses were further improved to conceal themselves covertly. The Market Intelligence & Consulting Institute (MIC) of the Institute for Information Industry (Taiwan) points out that current cellular phone viruses are clever enough to hide themselves in a short message for propagation. Once a user opens the short message, this kind of malware is installed and runs quietly in the background to snatch and steal information on the affected cellular phone, and even to capture conversations covertly. Even worse, this kind of malware can silently copy or delete critical information such as the personal address book, short messages, calendar, bank account details, passwords and the like, so that the user is not aware of it at all. Because each “dynamic password” in the above step D is transmitted to the Internet user via telephone short message, each “dynamic password” becomes known to a hacker once he/she has compromised the cellular phone of the target Internet user with spyware. The hacker can then easily impersonate the target Internet user to cheat the authentication system of the “OTP dynamic password authentication unit” and defeat the conventional dynamic password authentication method.
2. As described in the above step D, the “OTP dynamic password authentication unit” will generate a set of “dynamic passwords” and make a phone call to transmit it via short message to the cellular phone designated by the Internet user. The problem is that the expense of the short message is charged to an Internet Service Provider (ISP) which cooperates with the “OTP dynamic password authentication unit,” and that, accordingly, the Internet Service Provider (ISP) is liable not only for the expense of normal short messages but also for the extra expense of abnormal or invalid short messages triggered by malware issued from competitors and hackers. Consequently, the advantage of using the “OTP dynamic password authentication mechanism” is reduced by this unpredictable extra expense, and growth in the use of the conventional dynamic password authentication method has slowed.
3. Another problem is that, as described in the above step D, when the “OTP dynamic password authentication unit” generates a set of “dynamic passwords” and makes a phone call to transmit it via short message to the cellular phone designated by the Internet user, the OTP transmission uses the MT (Mobile Terminated) mode, which does not guarantee real-time, successful delivery and can therefore lead to a fatal authentication delay and/or error.
4. Furthermore, as described in the above step D, because the “OTP dynamic password authentication unit” generates a set of “dynamic passwords” and makes a phone call to transmit it via short message to the cellular phone designated by the Internet user, the Internet user must be prepared to receive an “OTP short message” from anyone at any time. This has led to a new fraudulent crime of “OTP short message phishing,” in which the attacker repeatedly sends fraudulent “OTP short messages” to the victim and causes the victim to panic, thinking that his/her Internet account or bank account is under attack. The attacker then guides the victim to follow the attacker's instructions, defrauding the victim of his or her property.
5. Finally, yet another problem with the use of short messaging to transmit dynamic passwords has to do with tampering with the caller ID function of the telephone display. Ever since the Internet and the Public Switched Telephone Network (PSTN) were interlinked, most telephone frauds can be carried out by malware propagated via the Internet, in which hackers associate with fraudulent phone call gangs to remotely manipulate the “Caller ID” shown in the telephone display so that the call appears to come from a legitimate telecommunication company, law court, bank, government procurement office or the like. Victims thereby let down their guard and install malware arranged to cheat them and carry out telephone fraud. Such telephone fraud happens again and again and is getting worse to the point of becoming overwhelming. It is extremely critical to find a way to control and stop these kinds of crimes.